igor - Fotolia
SWIFT network communications: How can bank security be improved?
The SWIFT network has increasingly been abused by cybercriminals to carry out bank fraud and theft. Expert Michael Cobb explains possible ways to boost security.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has been under fire recently after a series of high-profile attacks. It has acknowledged that the threat of attack is "persistent, adaptive and sophisticated -- and it is here to stay," but what's ailing the SWIFT network and what, if anything, can be done about it?
SWIFT was founded in 1973 to establish common standards for sending and receiving information about financial transactions and to replace the Telex technology being used at the time. The first message sent over SWIFT's communications network was in 1977, and its messaging services are now used by 11,000 financial institutions in more than 200 countries, exchanging millions of messages every week.
Although the SWIFT network doesn't actually handle the transfer of money -- it only sends payment orders -- the nature of these messages makes them of huge interest to hackers, cybercriminals and nation states. Even though SWIFT shares financial records with various government agencies for use in antiterror investigations, Edward Snowden revealed that the National Security Agency spied on SWIFT using a variety of methods, including reading SWIFT printer traffic from numerous banks.
Cybercriminals, meanwhile, have been abusing the SWIFT network to steal millions of dollars. Hackers have found that they can leverage vulnerabilities in SWIFT's member banks' processes and procedures, particularly those in countries where regulatory and security controls are less robust, to access their networks. An unknown number of attacks on SWIFT have hit banks hard; for example, two attacks in 2016 involved malware that issued unauthorized SWIFT messages and prevented confirmation messages from revealing the theft by altering reports when they were sent to be printed, either as paper records or as PDF reports. The Bangladesh central bank lost $81 million, while a bank in Vietnam is thought to have been the second victim. In a different attack, thieves sent authenticated SWIFT messages similar to recently canceled transfer requests to Wells Fargo from Banco del Austro (BDA) in Ecuador using the legitimate SWIFT credentials of a BDA employee, and they made off with $12 million.
SWIFT, like the internet, was conceived at a time when security was not a major consideration. That means the core protocols don't have all of the essential security controls, such as nonrepudiation, built in.
Given the mission-critical nature and size of the SWIFT network, the volume of daily messages and other technical aspects, it would be difficult to migrate to a brand new protocol; SWIFT already has to work hard just to get some members to upgrade to the newest version of the SWIFT software. Upgrading the existing protocols would be a slow process due to legacy issues, and backwards compatibly requirements usually result in a less than ideal solution. However, the security of the entire network has to be improved quickly to preserve trust in the system.
SWIFT has begun to improve its architecture, with one change being a distributed architecture with a two-zone model for storing messages. It has also partnered with cybersecurity firms BAE Systems and Fox-IT to create a new Customer Security Intelligence team.
SWIFT has to feed and receive threat intelligence to and from its members to stop multiple clients from falling victim to the same attack techniques. This requires banks to share information that could undermine public confidence, something they've always been reluctant to do in the past, but which might be vital for collaboration against a common enemy.
SWIFT certainly needs improved monitoring, detection and response to suspect messages -- an area where behavioral and context monitoring can certainly help. The false BDA SWIFT messages should have been easily spotted, as they were placed outside of normal working hours and were for unusually large amounts, while only a spelling error managed to stop cybercriminals targeting the Bangladesh central bank from stealing nearly a $1 billion.
Visa's fraud detection system provides a good example of the need to continually question whether existing security strategies are still effective and efficient at detecting targeted threat activity. Visa looks at up to 500 unique risk attributes of a payment card transaction to check for fraud, compared to the 40 it could handle before it upgraded its fraud detection system in 2013.
To help clients independently verify their messaging activity and detect any unusual patterns, SWIFT has introduced Daily Validation Reports provided through a separate channel to customers' payments and compliance teams that give an independent summary of their message flows. However, clients need to review them for these reports to be effective.
While these measures should help improve security, the main weakness in any network is its client endpoints. Instead of focusing on potential vulnerabilities in SWIFT's core messaging systems and software, hackers are exploiting holes in banks' security measures to attack the banks' connections to the SWIFT network and gain access to the SWIFT messaging system. As each bank is responsible for maintaining the security of its connection to SWIFT, mandatory levels of endpoint and user security should be a requirement before access is granted.
Security awareness training covering phishing attack techniques, as well as better separation of duties, is important to make it harder for criminals to obtain valid login credentials. Attacks show a sophisticated knowledge of specific operational controls within the targeted banks, so employee vetting and ongoing monitoring should be put in place, as well.
For SWIFT to prevent its systems from being used to defraud its clients, both SWIFT and the banks will have to improve the security they have in place, as the entire system is only as strong as its weakest user.